31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
08/06/2024, 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe
Size

134KB
MD5

9c9fad95b0911b813d97c4deeafaf459
SHA1

3d50a2bcc3d7f1a31ab0a8792d8e4e21598302fe
SHA256

31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8
SHA512

a6817ab42d6e4f04b225de12b30b9a4560fe706f6c3b1dbb4d164c9d4ffa3ae28a1787cd7ab03fada00b010ef7e4412b83ccbe680611440acb03e6490844b292
SSDEEP

1536:rF0AJELopHG9aa+9qX3apJzAKWYr0v7ioy6paK2AZqMIK7aGZh38Q5:riAyLN9aa+9U2rW1ip6pr2At7NZuQ5

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 5 IoCs

resource	yara_rule
behavioral1/memory/2244-1-0x00000000001C0000-0x00000000001E8000-memory.dmp	UPX
behavioral1/files/0x0031000000015d12-2.dat	UPX
behavioral1/memory/2060-7-0x0000000000010000-0x0000000000038000-memory.dmp	UPX
behavioral1/memory/2060-9-0x0000000000010000-0x0000000000038000-memory.dmp	UPX
behavioral1/memory/2244-10-0x00000000001C0000-0x00000000001E8000-memory.dmp	UPX

Executes dropped EXE 1 IoCs

pid	Process
2060	WwanSvc.exe

Loads dropped DLL 1 IoCs

pid	Process
2244	31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2244-1-0x00000000001C0000-0x00000000001E8000-memory.dmp	upx
behavioral1/files/0x0031000000015d12-2.dat	upx
behavioral1/memory/2060-7-0x0000000000010000-0x0000000000038000-memory.dmp	upx
behavioral1/memory/2060-9-0x0000000000010000-0x0000000000038000-memory.dmp	upx
behavioral1/memory/2244-10-0x00000000001C0000-0x00000000001E8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Window Update = "\"C:\\ProgramData\\Update\\WwanSvc.exe\" /run"	31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2060	2244	31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe	28
PID 2244 wrote to memory of 2060	2244	31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe	28
PID 2244 wrote to memory of 2060	2244	31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe	28
PID 2244 wrote to memory of 2060	2244	31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe	28

C:\Users\Admin\AppData\Local\Temp\31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe
"C:\Users\Admin\AppData\Local\Temp\31f9a2a2788c1ed8cf117da9c997265ac17a7f0ab9ad60528ac590bc1ec4d9e8.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2244
- C:\ProgramData\Update\WwanSvc.exe
  "C:\ProgramData\Update\WwanSvc.exe" /run
  2⤵
  - Executes dropped EXE
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\Update\WwanSvc.exe

Filesize
134KB

MD5
927128a54aff1b4bccc0ce05ef1a6cab

SHA1
950a73018a41ec40d404c8199471d0d7516fcf81

SHA256
e426cb8bb3654f93e21c9af071f714033d06048dd2b66d736a0ec0d1e3db7c94

SHA512
561219c7551970959c7256786d5b61e3ef06c09ee00f25f2c5935e7d443b509a66b85c9d29b4b43fcca06f4725eb7f337700e39a690273cc1a8fd69e86415caa

Download Submit
memory/2060-7-0x0000000000010000-0x0000000000038000-memory.dmp

Filesize
160KB

Download
memory/2060-9-0x0000000000010000-0x0000000000038000-memory.dmp

Filesize
160KB

Download
memory/2244-1-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download
memory/2244-6-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2244-8-0x0000000000080000-0x00000000000A8000-memory.dmp

Filesize
160KB

Download
memory/2244-10-0x00000000001C0000-0x00000000001E8000-memory.dmp

Filesize
160KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads